79/tcp open finger
111/tcp open rpcbind
22022/tcp open ssh
User enumeration with Finger
SSH bruteforce gives the password sunday for the user
Crack the shadow file to log in as another user, sammy
User sammy is allowed to use wget as root
Overwrite the sudoers file to get root
Finger the host to get a user who is logged in:
Bruteforce the account with a small wordlist.
Log in to the account and start enumerating the system.
There is a folder called backup in the root directory with a copy of the shadow files:
Unshadow the file to get the hashes.
Now crack them with john and rockyou.
Log in as the user sammy with the password cooldude!
Find your user.txt
Cat the file to get the flag.
Running sudo -l gives you
Because wget runs as root, it can overwrite files. To exploit this, create a local file called sudoers with the following contents and host it with Python:
sammy ALL=(ALL) NOPASSWD:ALL
Once it is downloaded, the sudoers file has been overwritten, so all that remains is to run sudo su to get root.
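From the defender's side, both the wget rule and the replacement sudoers line above can be caught by auditing sudoers rules. The following is an added example, not part of the original writeup: it is a simplified parser (no alias expansion or includes), and the users alice and bob, the binary paths, and the inclusion of curl are assumptions made for illustration.

```python
import os
import re

# Assumption: tools able to write a caller-chosen file (page shows wget; curl added).
FILE_WRITERS = {"wget", "curl"}
RULE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")
TAG = re.compile(r"^([A-Z_]+)\s*:\s*")

# Constructed sample; only the sammy rule is the line quoted in the writeup.
SAMPLE = """\
Defaults env_reset
root ALL=(ALL) ALL
alice ALL=(root) NOPASSWD: /usr/bin/wget
sammy ALL=(ALL) NOPASSWD:ALL
bob ALL=(root) /usr/bin/ls /var/log
"""

def audit_sudoers(text):
    """Return (line_no, user, reason) for rules that amount to root access."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")) or "_Alias" in line:
            continue
        m = RULE.match(line)
        if not m or m.group(1) == "root":
            continue
        user, _host, runas, spec = m.groups()
        targets = {t.split(":")[0].strip() for t in (runas or "root").split(",")}
        if not targets & {"root", "ALL"}:
            continue  # rule does not grant a root run-as target
        nopasswd = False  # tags carry over to later commands in the list
        for cmd in spec.split(","):
            cmd = cmd.strip()
            while (t := TAG.match(cmd)):
                if t.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = t.group(1) == "NOPASSWD"
                cmd = cmd[t.end():]
            name = os.path.basename(cmd.split()[0]) if cmd else ""
            suffix = " without a password" if nopasswd else ""
            if cmd == "ALL":
                findings.append((no, user, "any command as root" + suffix))
            elif name in FILE_WRITERS:
                findings.append((no, user, f"{name} as root can overwrite files{suffix}"))
    return findings

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE):
        print(finding)
```

Rules that delegate a downloader to root are better replaced with a wrapper that fixes the URL and output path, and changes to the sudoers file itself are worth covering with file-integrity monitoring.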